Skip to content
Branch: master
Find file Copy path
Find file Copy path
4 contributors

Users who have contributed to this file

@gnawux @nitkon @jcvenegas @jodh-intel
220 lines (158 sloc) 6.33 KB

How to use Kata Containers and CRI (containerd plugin) with Kubernetes

This document describes how to set up a single-machine Kubernetes (k8s) cluster.

The Kubernetes cluster will use the CRI containerd plugin and Kata Containers to launch untrusted workloads.

For Kata Containers 1.5.0-rc2 and above, we will use containerd-shim-kata-v2 (short as shimv2 in this documentation) to launch Kata Containers. For the previous version of Kata Containers, the Pods are launched with kata-runtime.


  • Kubernetes, kubelet, kubeadm
  • containerd with cri plug-in
  • Kata Containers

Note: For information about the supported versions of these components, see the Kata Containers versions.yaml file.

Install and configure containerd

First, follow the How to use Kata Containers and Containerd to install and configure containerd. Then, make sure the containerd works with the examples in it.

Install and configure Kubernetes

Install Kubernetes

  • Follow the instructions for kubeadm installation.

  • Check kubeadm is now available

    $ command -v kubeadm

Configure Kubelet to use containerd

In order to allow kubelet to use containerd (using the CRI interface), configure the service to point to the containerd socket.

  • Configure Kubernetes to use containerd

    $ sudo mkdir -p  /etc/systemd/system/kubelet.service.d/
    $ cat << EOF | sudo tee  /etc/systemd/system/kubelet.service.d/0-containerd.conf
    Environment="KUBELET_EXTRA_ARGS=--container-runtime=remote --runtime-request-timeout=15m --container-runtime-endpoint=unix:///run/containerd/containerd.sock"
  • Inform systemd about the new configuration

    $ sudo systemctl daemon-reload

Configure HTTP proxy - OPTIONAL

If you are behind a proxy, use the following script to configure your proxy for docker, kubelet, and containerd:

$ services="

$ for service in ${services}; do

    sudo mkdir -p ${service_dir}

    cat << EOT | sudo tee "${service_dir}/proxy.conf"

$ sudo systemctl daemon-reload

Start Kubernetes

  • Make sure containerd is up and running

    $ sudo systemctl restart containerd
    $ sudo systemctl status containerd
  • Prevent conflicts between docker iptables (packet filtering) rules and k8s pod communication

    If Docker is installed on the node, it is necessary to modify the rule below. See for further details.

    $ sudo iptables -P FORWARD ACCEPT
  • Start cluster using kubeadm

    $ sudo kubeadm init --skip-preflight-checks --cri-socket /run/containerd/containerd.sock --pod-network-cidr=
    $ export KUBECONFIG=/etc/kubernetes/admin.conf
    $ sudo -E kubectl get nodes
    $ sudo -E kubectl get pods

Install a Pod Network

A pod network plugin is needed to allow pods to communicate with each other.

  • Install the flannel plugin by following the Using kubeadm to Create a Cluster guide, starting from the Installing a pod network section.

  • Create a pod network using flannel

    Note: There is no known way to determine programmatically the best version (commit) to use. See

    $ sudo -E kubectl apply -f
  • Wait for the pod network to become available

    # number of seconds to wait for pod network to become available
    $ timeout_dns=420
    $ while [ "$timeout_dns" -gt 0 ]; do
        if sudo -E kubectl get pods --all-namespaces | grep dns | grep Running; then
        sleep 1s
  • Check the pod network is running

    $ sudo -E kubectl get pods --all-namespaces | grep dns | grep Running && echo "OK" || ( echo "FAIL" && false )

Allow pods to run in the master node

By default, the cluster will not schedule pods in the master node. To enable master node scheduling:

$ sudo -E kubectl taint nodes --all

Create an untrusted pod using Kata Containers

By default, all pods are created with the default runtime configured in CRI containerd plugin.

If a pod has the io.kubernetes.cri.untrusted-workload annotation set to "true", the CRI plugin runs the pod with the Kata Containers runtime.

  • Create an untrusted pod configuration

    $ cat << EOT | tee nginx-untrusted.yaml
    apiVersion: v1
    kind: Pod
      name: nginx-untrusted
        io.kubernetes.cri.untrusted-workload: "true"
      - name: nginx
        image: nginx
  • Create an untrusted pod

    $ sudo -E kubectl apply -f nginx-untrusted.yaml
  • Check pod is running

    $ sudo -E kubectl get pods
  • Check hypervisor is running

    $ ps aux | grep qemu

Delete created pod

$ sudo -E kubectl delete -f nginx-untrusted.yaml
You can’t perform that action at this time.